Share a sign-in session with native mobile apps (2024)

Note: This document is written for Okta Classic Engine. If you are using Okta Identity Engine, contact your Okta account team for guidance or ask on our forum. See Identify your Okta solution to determine your Okta version.

This guide uses sample apps to demonstrate how to share a Single Sign-On (SSO) session on a mobile device. After you complete this guide, you should have a better understanding of how a sign-in session is shared between two mobile apps on a device and will be able to use the steps in the guide to help you configure your own apps.

Note: We strongly advise against using WebViews for authentication on mobile apps as this practice exposes users to unacceptable security risks. See OAuth 2.0 for Native Apps. Consider using Okta's native SDKs instead.

Learning outcomes

  • Persist a session between multiple OIDC mobile apps
  • Clear the session when appropriate

What you need

  • An Okta Developer Edition organization. Don't have one? Create one for free (opens new window)
  • Android Studio with an emulator for Android testing
  • Xcode with a simulator for iOS testing

Sample code

Overview

In OAuth, the authentication flow for web apps uses URIs to initiate the authorization request and to return the response to the web app. The flow is similar for mobile apps. The mobile app uses an external user-agent (the device's browser) to perform authentication. Since the authorization request from a mobile app is initiated from the device's browser, you can apply sign-in principles that are similar to web apps in order to share a sign-in session between mobile apps on a device.

Session and persistent Single Sign-On

Single Sign-On (SSO) allows users to authenticate once and access multiple resources without being prompted for additional credentials. Okta supports both session and persistent SSO:

  • Session SSO: Session SSO cookies are written for the authenticated user, which eliminates further prompts when the user switches applications during a particular session. However, if a particular session ends, the user is prompted for their credentials again.
  • Persistent SSO: Persistent SSO cookies are written for the authenticated user, which eliminates further prompts when the user switches applications for as long as the persistent SSO cookie is valid.

The difference between persistent SSO and session SSO is that persistent SSO can be maintained across different sessions. Persistent SSO is disabled by default in Okta. To share a sign-in session with native mobile apps, you need to enable persistent SSO.

Configure Two OpenID Connect Native Apps

Within the same org, you need to set up two Native OpenID Connect (OIDC) client apps.

  1. In the Admin console, go to Applications > Applications.
  2. Click Create App Integration.
  3. Select OIDC - OpenID Connect as the Sign-in method.
  4. Select Native Application as the Application type and click Next.
  5. Give the app integration a name, and then enter com.first.sample:/callback in the Sign-in redirect URIs box for the first app.

    Note: When you create the second app, enter com.second.sample:/callback.

  6. Ensure that Authorization Code and Refresh Token are selected in the Grant Type Allowed section.
  7. Assign the group that you want (if you set Group Assignments for your app) or leave the Everyone default. For instructions on how to assign the app integration to individual users and groups, see the Assign app integrations (opens new window) topic in the Okta product documentation.
  8. Click Save.
  9. In the General Settings section, click Edit.
  10. In the Login section, click Add URI next to Sign-out Redirect URIs.
  11. Enter com.first.sample:/logout for the first app.

    Note: When you create the second app, enter com.second.sample:/logout.

  12. Scroll to the Client Credentials section. Copy the Client IDs for both the first and second app for use in a later step.

Next, you set up the mobile applications using the configuration from these native apps that you just created.

Set up the first mobile app

In this section, you configure settings for the first mobile app.

Note: This section assumes that you have already downloaded the appropriate sample apps — see the sample links at the top of the article.

Add the redirect scheme

To redirect back to your application from a web browser, specify a unique URI to your app.

Create a second mobile app

You need a second mobile app to test with.

Optional settings

There are a few additional settings that you can play with while testing shared SSO that involve the use of the prompt parameter. See Parameter details (opens new window) for more information on using the prompt parameter.

Always prompt for sign in regardless of session

If you are using the same Okta domain for both of your apps, the default behavior when a session already exists is that the user is silently authenticated without a sign-in prompt. If your second application requires a prompt for sign-in regardless of session, you can configure this by passing in the prompt=login parameter.

Check for a valid session

You can also check if the browser has a valid session by using the prompt=none parameter. The prompt=none parameter guarantees that the user isn't prompted for credentials: either the requested tokens are returned, or, if the session is invalid or doesn't exist, the application receives an OAuth error response. See Parameter details (opens new window) for more information on using the prompt parameter.

If your application requires that the user signs in to the first app first, then you can use the prompt=none parameter in the second app to check whether the user is already signed in to the first app.
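The authorization request the second app hands to the system browser, with the prompt=login and prompt=none variants described above, and the handling of the com.second.sample:/callback redirect it gets back. This is an added example, not code from Okta's sample apps; the issuer URL and client ID are placeholders, and the /v1/authorize path is the standard Okta authorization endpoint assumed here.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: replace with your own org domain and the client IDs
# copied from the Client Credentials section of the two app integrations.
ISSUER = "https://dev-placeholder.okta.com/oauth2/default"
REDIRECT_URIS = {"first": "com.first.sample:/callback",
                 "second": "com.second.sample:/callback"}


def pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge (native apps have no client secret)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, prompt=None):
    """Authorization request to open in the device browser (the external user-agent).
    prompt=None    -> silently reuse the shared browser session when one exists
    prompt="login" -> force a credential prompt even if a session exists
    prompt="none"  -> never prompt; either tokens come back or an OAuth error does"""
    params = {"client_id": client_id, "response_type": "code",
              "scope": "openid profile offline_access", "redirect_uri": redirect_uri,
              "state": state, "code_challenge": code_challenge,
              "code_challenge_method": "S256"}
    if prompt:
        params["prompt"] = prompt
    return f"{ISSUER}/v1/authorize?{urlencode(params)}"


def handle_callback(callback_uri, expected_state):
    """Interpret the redirect the browser hands back to the app.
    Returns ("code", code), ("no_session", error) or ("error", error)."""
    query = parse_qs(urlparse(callback_uri).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" in query:
        return ("code", query["code"][0])
    error = query.get("error", ["unknown"])[0]
    # With prompt=none, no valid shared session yields login_required (or a
    # related *_required error); the app should then start a normal sign-in.
    if error in ("login_required", "interaction_required", "consent_required"):
        return ("no_session", error)
    return ("error", error)
```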

Clear the session

To clear a session, add the following code to both of your apps:
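As an added example (not the sample apps' own snippet), the sign-out request each app sends through the browser and the handling of the com.first.sample:/logout or com.second.sample:/logout redirect it registered; the issuer URL is a placeholder and the /v1/logout path is the standard Okta logout endpoint assumed here.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder issuer; the sign-out redirect URIs are the ones entered
# in the Login section of each app integration.
ISSUER = "https://dev-placeholder.okta.com/oauth2/default"
LOGOUT_URIS = {"first": "com.first.sample:/logout",
               "second": "com.second.sample:/logout"}


def build_logout_url(id_token, post_logout_redirect_uri, state):
    """Sign-out request opened in the system browser. Ending the shared browser
    session here signs out every app that relies on it, not only the caller."""
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri,
              "state": state}
    return f"{ISSUER}/v1/logout?{urlencode(params)}"


def finish_logout(redirect_uri, expected_state, local_store):
    """Handle the redirect back into the app: check it is one of the registered
    sign-out URIs and carries the expected state, then drop the app's own cached
    tokens. Clearing the browser session does not clear tokens the app still
    holds, and a cached refresh token should also be revoked (not shown).
    Returns True when the local token store was cleared."""
    parsed = urlparse(redirect_uri)
    if f"{parsed.scheme}:{parsed.path}" not in LOGOUT_URIS.values():
        return False
    if parse_qs(parsed.query).get("state", [None])[0] != expected_state:
        return False
    for key in ("id_token", "access_token", "refresh_token"):
        local_store.pop(key, None)
    return True
```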

Next steps

You should now have a better understanding of how a sign-in session is shared between two mobile apps on a device and the knowledge to configure your own apps.

To learn more about our Mobile OpenID Connect (OIDC) SDKs and sample apps:

Android:

iOS:

I'm an expert in identity and access management, particularly well-versed in Okta's Classic Engine. My expertise is grounded in practical experience and a deep understanding of the concepts surrounding Single Sign-On (SSO) and OAuth 2.0 for mobile applications.

Firstly, let's delve into the evidence presented in the article to demonstrate my proficiency. The article focuses on configuring SSO sessions between mobile apps using Okta's Classic Engine. It emphasizes the use of OpenID Connect (OIDC), which aligns with the industry-standard authentication and authorization framework. The importance of security is highlighted, discouraging the use of WebViews for authentication due to potential security risks, and suggesting the use of Okta's native SDKs as a more secure alternative. This aligns with best practices in mobile app security.

The article introduces two types of SSO supported by Okta: Session SSO and Persistent SSO. Session SSO involves cookies written for the authenticated user, eliminating the need for repeated prompts within a session but requiring reauthentication if the session ends. Persistent SSO, on the other hand, enables SSO across different sessions, remaining valid until the persistent SSO cookie expires. It's crucial to note that Persistent SSO is disabled by default in Okta.

The configuration steps for setting up two Native OIDC client apps within the same Okta organization are outlined in detail. These steps involve creating app integrations, specifying redirect URIs, and configuring Grant Type Allowed settings. The importance of enabling Persistent SSO to share a sign-in session with native mobile apps is emphasized.

The subsequent sections guide users through the setup of mobile applications, including the addition of redirect schemes and optional settings related to the 'prompt' parameter. The 'prompt' parameter allows for customization of sign-in behavior, such as always prompting for sign-in or checking for a valid session without prompting.

The article concludes by providing information on clearing a session in both mobile apps, ensuring a comprehensive understanding of managing user sessions.

In conclusion, this guide not only provides step-by-step instructions for configuring SSO sessions between mobile apps using Okta Classic Engine but also imparts valuable insights into security best practices and the customization options available through parameters like 'prompt.' It is a comprehensive resource for anyone seeking to implement secure and efficient SSO solutions in their mobile applications.

Author: Moshe Kshlerin